Since the original post, Zenobia and I have received many responses. The Twitter feeds have been extremely busy. I want to provide a short update here and will follow up with an updated summary a bit later in the week.

In the Facebook group that we started, “Starting a new dialogue”, Winn Schwartau stated a challenge to exhibitors, he said: “HOW ABOUT A CHALLENGE? … Some really smart person can/should/etc. write up a simple short online “Declaration of Booth Professionalism” and get vendors to sign up. …

1. No booth babes.
2. Tell us what you do in 30 secs or less (signage, etc.)
3. Have informed people in the booth

That’s all I’m looking for. “

Debbie Rosen of Sonatype stepped up and responded with this declaration:

I, the undersigned vendor, agree to uphold the standards of professionalism as a conference participant at all future events. Specifically, I agree to abide by the following 4 common-sense laws of “usefulness” to provide information that is valuable to all conference attendees. These include:

1) The use of meaningful words (i.e. not jargon or sales-y) on my booth that provide a summary of what we do so the passer-by can choose to stop or not stop;
2) The engagement of booth personnel that are effectively skilled to deliver the answer to “what do we do?” in one minute or less;
3) The utilization of easily digestible demos and/or collateral that help the visitor delve to the next level of information, should they be interested. (note: whitepapers are great but not digestible);
4) The banning of booth babes or other gimmicks that scream “I don’t know how to market so I will do it the lazy way.”

At the recent RSA conference, it was apparent the exuberance and spending of the 90s are back, and with them, the dreaded accessory known as “booth babes”. In many areas of the show floor, scantily clad women scanned badges, strutted their stuff, hawked wares they knew nothing about, and in general, made many conference goers, men and women, highly uncomfortable.

One company even had their female receptionist dressed in hot soccer pants greeting visitors at the booth while the demo-giving male engineers donned soccer referee shirts.

But still, we had them galore. In between discussions of exploits and Big Data, a teen beauty queen was trotted out to sign autographs; Jane Doe here handed out data sheets from her skin-tight bustier, and mystery woman there displayed her acrobatic skills in barely-there fabric before the demo went underway.

All of which implied that, for the companies that chose to do so, promoting their technologies and products was not possible without scantily-clad women. That feels like a cruel insult to the efforts of the men and women who worked hard to create, build, Q/A, and demo the product.

It was no less harsh an offense to the intelligence of many, both men and women, who walked the show floor with the goal to learn, to engage in intellectual exchanges, and to debate serious issues.

Put in the most tolerant light, this behavior is a “lazy way of marketing”, Debbie Rosen of Sonatype said; “this happens when you do not have any creative or otherwise more positive ways of getting attention.”

We are not in the “Mad Men” era. Women have stepped up and “leaned in”. However, statistics still show that women’s participation in computer science and engineering remains below 30% [1]. As an industry, we have a collective obligation to promote and foster, rather than discourage and demean, the next generation of women IT leaders.

Writing blog posts and expressing outrage on social media alone won’t work. We need to make this issue a practical, rather than a rhetorical one. Those of us who are in positions of power, those of us in sales, marketing, and executive positions, need to do something real to effect changes.

Let’s consider, first and foremost, instilling in our own companies the “radical thinking” that we can showcase technology simply by celebrating the ideas and ingenuity that went into its creation, and establishing the belief that we can differentiate and stand out by articulating the strength of, rather than the distractions from, the products and technology that many of us have worked so hard to create.

Zenobia Godschalk, CEO of ZAG Communications, and I have created this Facebook group: Starting a new dialogue. Please consider going to the FB group to pledge your support: that you will leverage your influence to ensure that your company/organization will not use booth babes or otherwise sexually objectify either men or women for PR/marketing purposes at trade shows.


As a former analyst (I spent 6 years as Research VP at Forrester), I have been asked many times “what makes a good analyst presentation?”

Throughout my time at Forrester, I saw countless vendor presentations; some were great, some mediocre, others a downright waste of time. As I began reflecting on all the presentations and demos I sat through, it became apparent how few marketers actually know the art of making an impactful, concise presentation that leaves a long-lasting impression.

Years ago, I took a briefing from the Google Apps team when they released Google App Engine. The entire presentation had 10 slides. We finished it within 30 minutes; I understood precisely what they were trying to say; they said it with finesse, and it rocked my world. Early last year, I had the good fortune of being briefed by Sonatype. The team over there brought a visually compelling deck with precisely-crafted messaging and highly organized content; it was another memorable experience. Other notable encounters included those with Kony Solutions, MobileIron, and Dome9.

What do all these presentations have in common?

They are all concise and to the point, with a central message to drive. With little superfluous information, and good supporting evidence to boot, they were all fashioned by the hands of an experienced marketer who was also an excellent communicator.

A good communicator can get points across and leave a powerful impression with a minimum amount of content. My thesis is that anyone can do a good presentation in eight slides, as long as you focus on this structure:

What is the problem & why is it interesting? (1 or 2 slides)

How do you solve the problem? (3 slides)

Why are you uniquely qualified to solve the problem? (1 slide)

Interesting customer deployments (1 slide)

Forward looking roadmap (1 slide)

Takeaways (1 slide)

1. What is the problem you are solving and why is it interesting?

If you can’t explain the problem in one or two slides, perhaps the problem is not that compelling. A common mistake of marketers is overhyping the problem. Trust me, a good analyst knows the problem space—you don’t need to pile on statistics and market trends to convince him/her.

On this slide, you need to articulate the problem, indicate the scope, and get the analyst interested. A tall order? You bet it is, but it can be done. Shown below is Google’s opening slide, which teed up the motivation for Google App Engine.

Figure 1: Google’s first slide motivating the problem.

There is very little text on this slide, but it includes everything that needs to be said. The slide conveyed that there are many development paradigms, languages, and platforms, which can lead to complex application development tasks.

Sonatype used two slides to motivate and frame the problem.

Both slides have well-organized content, visual interest, and a focused message.

At this point, the analyst should know what the problem is that you are trying to tackle and her interest, hopefully, is heightened because of the way you described the problem. Now, onto the next step…

2. How do you solve the problem?

This is of course the meat of the presentation. In this section, you should cover these basics:

Your value proposition

Description of your technology

Ways to operationalize your product

Google put up one slide on App Engine, what it is (Python and Java run-times), what it includes (Servlet and APIs), and some sample applications (cron jobs and DB I/O). (see below)

Google also had another slide on Secure Data Connector to show how you would access data behind the firewall. Google was light on value proposition, but we got that through discussions.

Sonatype’s three slides mirrored the three basic points perfectly. First was the value proposition slide.

And there was the system description.

Finally the operational picture.

It’s extremely important to keep in mind, as you develop content for this section, that your aim should be to describe how the product helps solve the customer’s problem, not how awesome the product is. There is a subtle but important difference here.

Anton Chuvakin from Gartner, a friend of mine, has long had a beef on this issue and has said multiple times how few people understand the difference between the two. But once you do, and know how to leverage it, your presentation and demo will be on a different level.

Be prepared to engage in an active discussion in this part of the presentation. Encourage the analyst to ask as many questions as he/she cares to.

3. Why are you uniquely qualified to solve the problem?

This one is a bit tricky. Here you need to highlight your strength – what you are doing that your competitors are not doing or not capable of doing. This is often the most contentious of the discussion topics. Your best bet is to focus on your strength, rather than the competitor’s weaknesses. If the analyst is any good, he or she will be naturally suspicious if you talk down your competitor too much.

A few things to keep in mind when you articulate your competitive strength:

– Be proud of your technology: Does it show, in the text, in the way content flows, and in the way you talk, that you are proud of what you will present? Do you believe in the technology? You need to believe to be proud. Being proud is infectious and it will set a tone for the presentation.

– Focus on your strength, not other’s weaknesses: It is the analyst’s job to compare you against your competition. Your job is to ensure that the analyst is well informed of your strength.

– Articulate your value with facts, not claims: Statements such as: “Because we already have function A and function B, we are in a good position to provide deep integration from these two vantage points” will be well received. In contrast, statements like “no one else can do this because we are the number one vendor in the market” will go over poorly.

The slide below is how Google articulated why they are uniquely qualified to solve the problem – with 1500 businesses signing up to Google Apps, more than half a million corporate accounts, and millions of active users. These are indeed powerful statistics.

And below is how Sonatype communicated why they are uniquely positioned. They handle 8 million component requests a day, with an extensive coverage of open source component usage, popularity, and development tool integration.

4. Interesting customer deployments

I cannot stress enough how important it is to have customer examples/testimonials as part of your content. In fact, you should not go in front of an analyst unless you have good customer deployment examples to discuss. They do not have to be named customers, but it’s highly desirable to show an interesting customer use case (or two) to ground the discussion. It would be even more interesting if you can show a customer deployment scenario with uncommon challenges, e.g., scale, complexity, or problem nature, that your technology helped to tackle.

This was Google’s customer adoption slide.

Followed by another example,

Sonatype did it slightly differently. On each slide that explained their technology, they included a user quote at the bottom. On the slide depicting IDE integration, the quote says: “I can quickly pick the best component from the start, eliminating downstream work”. On the slide discussing real time component selection, the quote says: “Our research time has been reduced significantly with the component suggestion info”

Customer’s words, not yours. Plain and simple.

5. Forward-looking roadmap

This may be optional for some presentations, but it’s always fun to show where you’d go next. Google summed it up in one simple slide: launching partnerships.

6. Takeaways

Think about what you want the analyst to remember, even if she doesn’t remember anything else from the presentation. Focus on that as your takeaway slide. Sonatype did a nice job of exactly that; the final slide was simple, direct, and impactful. Nearly a year later, I still remember the “Go fast, be secure” tag line.

So there you have it – the secret to making a good analyst presentation.

Before I end this blog post, it bears repeating a few “Do’s” and “Don’ts” in analyst communication.

Do’s

Think low entropy: Focus on what you want to say and articulate that. Do not overwhelm the presentation with unnecessary or secondary information. Remember, you only have 30 minutes or 1 hour with the analyst; edit yourself and make it count.

Be visual: Usually when the analyst takes a vendor briefing, she is on the phone staring into a computer monitor. Please, give her something visual to keep her interested.

Show how you solve problems, not how you use the product: The analyst could not care less how one might use your product if the product is not interesting or the value proposition is not compelling. Framing your discussion in the context of solving the customer’s problems is the only way to keep a bleary-eyed analyst engaged throughout the discussion.

Research the analyst: Read their reports ahead of time. Understand the point of view of the analyst. Understand how she defines the market and talk to that angle. Remove quotes from Gartner if you are talking to Forrester, and vice versa.

Stress test your presentation: You only get to make the first impression once. Before you get in front of the analyst, put the presentation in front of your customers, run it through your partners, and get them to critique it.

Don’ts

Don’t start with a solution and look for a problem: Too often we get briefings that are clearly solutions looking for problems. A good analyst who sat through many presentations can see through that quickly and will lose interest before you can say “next slide”. Again, if it takes a while to explain why you work on this problem, the problem ain’t worth it.

Don’t dwell on your competitors: Focus on your solution and your strength. Unless the analyst asks, do not spend time discussing your competitors. Describing what your competitor can and cannot do is a minefield of a topic that is best avoided.

Don’t jam your slide with text: There is nothing worse than sitting in front of WebEx and watching it load a slide that looks like the one below. (This was from an actual vendor presentation, the names of which have been removed.) And please, under no circumstances should you read word after word from the slide. That is the single biggest offense you can commit in a remote presentation, a sure way of putting your audience to sleep.

Don’t treat the analyst as an extension of your marketing department: Remember that the analyst does not work for your company; they do not have to care what you have to say. It is your job to get them intrigued and interested. Your goal should not be to get them to write about you (if you start with this goal, you will most likely fail). Your goal, instead, is to get them interested in what you have to say. As long as there is interest, there will be possibilities.


Last Thursday evening I went to a Churchill Club event: Scott McNealy in conversation with Ed Zander. I was attracted to the event because of the two speakers. Scott McNealy, the former CEO of Sun Microsystems, is a Silicon Valley legend. Ed Zander, the former CEO of Motorola and former COO and President of Sun, is another highly influential figure in the high tech industry.

The event turned out to be much larger than the typical Churchill Club get-togethers; apparently more than half of the attendees were ex-Sun employees. At the cocktail hour, all around, people were catching up, embracing, and reminiscing on old times at Sun.

McNealy walked in around 6:30, looking fit and thin. You knew as soon as he was in the room, because practically everyone stood up to greet him. As he moved about, a human bubble moved with him around the room. The ex-Sun folks lined up to shake his hand; many had tears in their eyes. “Sun was an institution. You had to be there to understand”, the ex-Sun employee sitting to my right said.

The evening started with Zander playing a music video of McNealy singing in a “rock band”. The video was clearly taken in the heyday of Sun; it included footage of McNealy and co. kicking two SGI boxes off the roof of a Sun building with McNealy singing the lyrics: “The Sun will always shine”. <Hilarious>. There are clearly some inside jokes in the video, as the room was rolling with laughter.

As the evening went on, I learned a great deal about Mr. McNealy and his time as Sun’s chief. But what came across louder and clearer than anything else were his staunch political views. When asked which corporation is the “evil empire” today, McNealy responded: “Big corporations are not the problem, I think the biggest threat to innovation and our economy today is the public sector.” Later on, he said: “More than 20% of the GDP is tied up in the public sector, and that is what is stifling innovation”. Clearly not a fan of President Obama, when asked to describe Obama in one word, McNealy responded: “Unfortunate”.

McNealy was vocal about Sun’s achievements. He said: “If we hadn’t put TCP/IP in the computers we built back in the day, there would not be cloud computing today.” Sun is credited with the phrase “The network is the computer”, a visionary phrase, perhaps, but to say that without Sun computers there would be no cloud computing is, with all due respect, a bit overreaching. He said the best decision he ever made at Sun was bringing Bill Joy onboard. <No argument there>. McNealy also acknowledged a few mistakes. He said: “If we had taken Solaris and put it on a commodity Intel chip, and slapped together some pizza boxes, Linux would not be around today. Companies like Google and Amazon would be running Solaris.” Yep. Hindsight is 20-20. On archenemy Microsoft, McNealy said, in a resigned tone: “They clearly won, they are still around.”

At one point in the interview, Zander asked: “I remember we were this close to buying Apple, for $5 or $6 a share, what happened?” Interesting. This was a fact that I had known. McNealy said: “A tough i-banker on Apple’s side spoiled the deal … Heck, there wouldn’t have been any iPhones/iPads if we had bought Apple, ‘coz I would’ve screwed that one up too!” The audience laughed and the Twitterverse heaved a collective sigh: “Ah, we dodged that one”. (For those of you keeping score out there, Sun instead bought Cobalt Networks. Apple’s share today stands at $350.)

No, McNealy is not a Facebook or Twitter user. When asked about social media, McNealy said: “I just don’t see what you can do with social media that you cannot do with good, old-fashioned email.” <Really?> McNealy compared Twitter to mass mailing, and questioned whether LinkedIn provides anything beyond what email offers. On the point of user-generated content, he said: “Emails ARE user-generated content”. He later added: “Guess what Facebook’s latest invention is, it’s email!” <Hmm… I’m starting to detect a pattern here… > When Zander asked him to describe Facebook in one word, McNealy replied: “Zucks”. We also learned that McNealy was not a fan of Lady Gaga. When Zander asked him what he thought of the fact that Lady Gaga had 8+ million followers on Twitter, “That’s just unfortunate.” McNealy said.

A point McNealy went back to over and over again in the course of the evening was that government should not be meddling with the private sector. He contended that corporations are the stewards of innovation, and as such, they should be left alone. Of course McNealy completely failed to mention that the practices of some of the corporations, acting out of greed, nearly collapsed the American financial system and in turn ignited a global economic crisis.

The night closed with one final question from the audience, a former Sun employee. “The dotcom crash was hard on a lot of companies”, the audience member said, “but there were still plenty of opportunities around; e-commerce was growing, the commodity computing market was growing, I want to know why we missed the boat. I am not sure that I got a satisfactory answer from tonight’s discussion.” Before McNealy ventured an answer, Zander said, “Let’s not go there. Let’s move on. Tonight is about celebration.”

McNealy was clearly a natural leader. He was articulate, passionate about what he believed in, charismatic, occasionally self-deprecating, all qualities of a good leader. It was easy to see why two-thirds of the room respected and revered him. But the man couldn’t be more wrong about social media, and his complete conviction that he was right was simply mind-boggling.

At the end of the evening, as the crowd dissipated and I drove west on 237 in the light rain, with a Lady Gaga song appropriately playing on the radio, I thought about my evening at the Churchill club and caught myself saying: “Lady Gaga: 1, Scott McNealy: 0”.


Recently I’ve been reading the excellent work by Jamais Cascio and thinking about the concept of Openness. Much of Jamais’ work is focused on geoengineering but the concept of openness has profound implications on many fields, including computer security.

For those of you who have been following the unfolding story of HB Gary Federal and the Anonymous Group, this story is what Hollywood movies are made of. In fact, I don’t think a script writer could have penned any better than the real life version. If you haven’t been following the minute details of this story, this Tech Herald article is an excellent read on how the whole thing started.

A condensed version of the events is as follows:

A week before RSA 2011, the CEO of HB Gary Federal, Aaron Barr, said in a Financial Times interview that his firm had infiltrated and discovered the identities of the high level operatives for the well known Internet hacktivism group Anonymous, and that he planned to publicly discuss his findings at the RSA conference.

Anonymous responded in force and compromised the entire infrastructure of HBGary and HBGary Federal (HGF). They obtained confidential data, erased files, and defaced both companies’ websites.

Anonymous subsequently released 4TB worth of confidential company emails. In the emails that have been disclosed to date, Barr was seen engaging in discussions with a major US bank (believed to be Bank of America) to use HGF’s offensive attack tactics to launch a cyber attack against Wikileaks. The rumor mill at RSA had it that the said US bank was going to pay HB Gary $600,000 a month to carry out this attack campaign.

Whoa, what seemed like a classic white-vs-black hat story just turned interesting. What’s more interesting is that prior to this whole incident, WikiLeaks had been making noise that they were about to publish data from a major US financial institution (What? Interesting, you say?) What apparently was also discussed in those emails was that Barr would use, among other techniques, exclusive zero-days for the attack against Wikileaks. This would make the attack extremely dangerous.

No one came off this looking pretty. Not only was HBGary, a company that claims malware analysis as its business, unable to properly secure its own infrastructure; the “victim”, it turns out, was plotting a cyber war itself. HBGary is now claiming that the leaked data had been tampered with, implying that the discussion between BofA and Barr isn’t authentic, while Anonymous (and other security researchers) are saying that Barr’s initial research (which you can read here in PDF) was flawed in that some of the individuals he identified as part of the Anonymous group had nothing to do with it. Anonymous argued that if Barr’s research had been allowed to continue, it might have put innocent individuals in jail (as Barr was supposedly working with the FBI).

At RSA last week, HB Gary was noticeably absent from the conference, their booth instead displayed a sign that reads: “A group of aggressive hackers known as “Anonymous” illegally broke into computer systems and stole proprietary and confidential information from HBGary, Inc. …. In addition to the data theft, HBGary individuals have received numerous threats of violence including threats at our tradeshow booth…”.

This event ignited an Internet debate storm; is it ethical for security companies to engage in offensive tactics? Traditionally, security’s role is to defend, not offend. But as modern warfare migrates from physical battlefields to the digital frontier, more and more nation states and companies engage in offensive campaigns. Persons with deep security expertise are hot commodities in this game—it can be an extremely lucrative undertaking. But as you go down this road, is there really a difference between the black and the whitehats anymore?

This is where the link to Openness (or the lack of it) comes in: as we all know, and as the execs at BofA and HGF reinforce, zero-days can be powerful weapons. Exclusive knowledge of zero-days gives the possessor incredible power, and in cases such as these, almost always leads to corruption and misuse. It can be argued that we are better off as an industry if openness is employed as a means of elevating collective knowledge and also as a way to enforce checks and balances, so that no one company or individual is significantly more powerful in its knowledge and expertise than others. In such an industry, cyber offense is only a distant possibility, as you will be on a level playing field with your adversaries.

Creating such an open culture for the security community requires a shift in thinking, because this is an industry that thrives on secrecy and obscurity. It requires that we recognize that secrecy, obscurity, and the act to restrict information can ultimately do more harm than good. It requires that we promote open research and build an ecosystem that rewards openness.

How to achieve this open culture is the question on the table. Let’s discuss one specific example of how some form of openness is achieved: a bug bounty program. I was a skeptic, in the beginning, of the merits of such bounty programs, but I have come around. Indeed, I’ve come to realize that economic incentives may be one way we can achieve openness; in a bug bounty program, the researcher is encouraged, through economic incentives, to share his/her findings with the software vendor and ultimately with the entire community.

Economic incentives alone don’t always work, as that is one card the dark side can play as well. Other means, such as increasing collaboration, technological transparency, and … must be explored. But the steps we take today to promote an open culture will shape the course of the industry and help to determine whether we head towards a scenario of digital apocalypse (as Eddie Schwartz of Netwitness calls it on a recent RSA panel) or a more responsible, democratic, and open model for computer security.


Michael Brzozowski, the creator of Watercooler, the internal social media system for HP, recently left HP for Google.

Talent moves around all the time, especially in the Bay Area, where the industry is rife with interesting opportunities. However, in this case, the departure of Mr. Brzozowski has put the fate of the Watercooler system in question.

To understand why this is worth blogging about, we need to first understand what the Watercooler system is. Many of you may not know this, but Watercooler is a social media system that currently has 100,000 users! Brzozowski originally started Watercooler to aggregate RSS feeds from across the company. Over time, it morphed into a social media aggregation platform that pulls in content from HP’s internal wikis, microblogs, various discussion forums, and social bookmarks. The system has a documented set of open APIs and supports a powerful and expressive set of content filters across different social media systems. It is also integrated with HP’s user directories.

Brzozowski wrote a nice paper on a study he conducted with Watercooler data. Published at Group 2009, the study revealed some interesting facts about social media usage inside HP. In perhaps one of the most concrete statistics to date arguing for the value of enterprise social networks, Brzozowski’s paper points out that 69% of all Watercooler blog users subscribe to content generated by someone outside their business unit. This kind of cross-company instant collaboration is a huge benefit a social media system provides to its user community.

Unfortunately, though Watercooler can be considered a success for HP Labs, it has not generated the same kind of support from HP proper. Brzozowski had been trying for the last 2 years to get the system out of HP Labs and into the hands of HP operations. But his efforts proved futile; HP operations were not interested, or at least not interested enough to take action. After Brzozowski’s departure, another researcher from HP Labs took over the system. But this person is only doing it on a volunteer basis; he’s got his other core tasks. As we all know, researchers are not great at maintaining production systems, especially ones that require such scale and performance. Now you might ask why HP would ignore a social media system that already has such a large user base. Do you know how many social media start-ups would kill to have 100,000 users? Well, perhaps only HP can answer this question.

This whole thing came to a head a few weeks ago when some of HP’s executives were meeting with Salesforce. The latter mentioned Chatter, the new social media system SFDC is launching at Dreamforce this week. Chatter is a cool system, but is not nearly as developed or as widely used as Watercooler. Especially when you consider Watercooler had supported a documented API for users to modify for their own purposes, pro

The HP executives, after meeting with Salesforce, said about Chatter: “Hmm, that’s a good idea, we should have something like that.” [obviously this is a mock conversation, not the dude’s actual words]. Finally someone in HP said, “Well, we do have something like it, it’s called Watercooler”. The executive then said: “Really? Well, let’s take a look at that. Maybe we can make something out of it”.

As if on cue, Watercooler stopped working because the whole system had been running on one server (what? One server? you ask. Yep. You heard right, one server to support 100,000 users. That’s how research labs typically work). The researcher who had been supporting it after Brzozowski left was unable to get it up and running again quickly.

HP Labs had many top industry talents, but these people are now leaving the organization, for the reason that their work has not been properly respected and utilized. Last year, they lost one of their HP Fellows, John Wilkes, to Google. In addition to the recent departures of Michael Brzozowski and Kevin Lai, a game theory specialist, Joe Pato, a noted computer security expert, though ostensibly still an HP person, has been spending most of his time at MIT. HP has come a long way since the garage-company days of Hewlett and Packard, but it seems like the company has lost some of its innovative spirit along the way. Yes, it’s difficult to remain innovative when you’ve got 30,000 employees. But people are the greatest asset of any organization; if you lose them, you lose the future of the company. This is why Google recently implemented a 10% pay raise and bonuses to retain talent against new-kids-on-the-block competitors like Facebook. Companies like HP should take notice. Innovations like Watercooler should have flourished instead of being left to flounder.


On Tuesday, popular tech gossip site Valleywag reported a hack targeting AT&T’s infrastructure that led to the accidental disclosure of 100,000 iPad owners’ email addresses.

As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support web application, traversed a range of ICCIDs (Integrated Circuit Card Identifiers, the serial numbers of the SIMs), and were eventually able to obtain valid iPad owners’ email addresses without proper authentication.

If this is indeed true, AT&T did a poor job designing their web application. Guarding against automated parameter traversal is one of the first things you do to secure a web app: a request that names a record by a caller-supplied identifier must be checked against who the caller actually is, and a caller that walks through many identifiers in a short time should be throttled and flagged. An automated parameter traversal attack can be launched fairly easily these days; it does not require sophisticated technology or advanced reconnaissance on the victim web application.
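The pattern described above, as an added illustration that is not AT&T’s code or code from the original post: a lookup that returns whatever record a caller-supplied ICCID names, beside a hardened version that ties the ICCID to the authenticated session and a small detector that flags a client walking through many identifiers. The subscriber table, ICCIDs, addresses and IP address are all constructed for the example; the Luhn check digit on the ICCIDs is real (ITU E.118 ICCIDs end in one), which is why a traversal script has to compute it too.

```python
"""Added example (constructed data throughout, not AT&T's code): the
parameter-tampering lookup beside a hardened one and an enumeration detector."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for an ICCID body (E.118 ICCIDs end in one)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # rightmost body digit is doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(iccid: str) -> bool:
    return iccid.isdigit() and len(iccid) > 1 and luhn_check_digit(iccid[:-1]) == iccid[-1]


def make_iccid(serial: int) -> str:
    """Constructed 20-digit ICCID: fixed 15-digit prefix + 4-digit serial + check digit."""
    body = f"{_PREFIX}{serial:04d}"
    return body + luhn_check_digit(body)


# Constructed subscriber table standing in for the carrier's back end.
_PREFIX = "890141032111185"
ALICE_ICCID = make_iccid(1072)
SUBSCRIBERS = {
    ALICE_ICCID: "alice@example.com",
    make_iccid(1073): "bob@example.com",
    make_iccid(1074): "carol@example.com",
}


def lookup_email_vulnerable(iccid: str) -> Optional[str]:
    """The flawed shape: the only input is a caller-chosen identifier, and
    whatever record it names is returned, with no tie to who is asking."""
    return SUBSCRIBERS.get(iccid)


@dataclass
class Session:
    """Hypothetical authenticated session. device_iccid comes from the
    device's authenticated registration, never from the request itself."""
    account_email: str
    device_iccid: str


class EnumerationDetector:
    """Flags a client that asks about more than max_distinct identifiers
    within window_s seconds, which is what an automated traversal looks like."""

    def __init__(self, max_distinct: int, window_s: float) -> None:
        self.max_distinct, self.window_s = max_distinct, window_s
        self._probes = defaultdict(deque)  # client_ip -> deque of (timestamp, iccid)
        self.flagged = set()

    def record(self, client_ip: str, iccid: str, now: float) -> bool:
        q = self._probes[client_ip]
        q.append((now, iccid))
        while now - q[0][0] > self.window_s:  # drop probes outside the window
            q.popleft()
        if len({i for _, i in q}) > self.max_distinct:
            self.flagged.add(client_ip)
        return client_ip in self.flagged


def lookup_email_hardened(session: Session, iccid: str, client_ip: str,
                          now: float, detector: EnumerationDetector) -> Optional[str]:
    if not luhn_valid(iccid):
        return None  # malformed identifier never reaches the database
    if detector.record(client_ip, iccid, now):
        return None  # traversal in progress: refuse (and alert, in production)
    if iccid != session.device_iccid:
        return None  # a caller may only read the record bound to its own device
    return SUBSCRIBERS.get(iccid)


def run_vulnerable_traversal() -> dict:
    """Walk eleven consecutive serials against the flawed lookup."""
    probes = [make_iccid(n) for n in range(1070, 1081)]
    return {p: e for p in probes if (e := lookup_email_vulnerable(p))}


def run_hardened_traversal():
    """Same probes, one per second, from alice's own session and one IP:
    at most her own record comes back, and the detector trips."""
    session = Session("alice@example.com", ALICE_ICCID)
    detector = EnumerationDetector(max_distinct=5, window_s=60.0)
    leaked = {}
    for t, serial in enumerate(range(1070, 1081)):
        email = lookup_email_hardened(session, make_iccid(serial), "198.51.100.7", float(t), detector)
        if email:
            leaked[make_iccid(serial)] = email
    return leaked, "198.51.100.7" in detector.flagged


if __name__ == "__main__":
    print("vulnerable leaked:", run_vulnerable_traversal())
    print("hardened leaked, flagged:", run_hardened_traversal())
```

The order of checks in the hardened handler is deliberate: the detector sees every well-formed probe, including the ones that would fail the ownership check, so a client that only ever asks about other people’s SIMs is still counted and cut off.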

Included in the email addresses disclosed were several prominent celebrities, politicians, and high-profile industry figures, including Rahm Emanuel and Michael Bloomberg.

This attack apparently only affects iPad 3G users, not the Wi-Fi-only iPads. AT&T has stated that this particular flaw in their web application has now been remediated.